process-creation.md

Process Creation

Sysmon logs EventID 1 for the creation of any new process, at the point where the process registers with the kernel.

Sysmon generates a ProcessGuid and a LogonGuid from the information it obtains, and it hashes the process's main image. The command line of the process is parsed and written to the event log. When storage permits, a common practice is to log all process creations and then, after profiling usage, filter out the routine day-to-day Windows and application processes.

The fields on a process creation event are:

  • ProcessGuid -- Unique process GUID generated by Sysmon.
  • ProcessId -- Process ID, represented as an integer.
  • Image -- Full path of the executable image that was executed.
  • FileVersion -- File version field in the image metadata.
  • Description -- Description field in the image metadata.
  • Product -- Product field in the image metadata.
  • Company -- Company field in the image metadata.
  • OriginalFileName -- Original image name, which differs from Image if the file was renamed.
  • CommandLine -- Command line that executed the image.
  • CurrentDirectory -- Directory under which the image was executed.
  • User -- Name of the account that created the process (the child). It usually contains the domain name and user name.
  • LogonGuid -- Logon GUID of the user who created the new process.
  • LogonId -- Logon ID of the user who created the new process.
  • TerminalSessionId -- ID of the session the user belongs to.
  • IntegrityLevel -- Integrity label assigned to the process.
  • Hashes -- Full hash of the file, computed with the algorithms in the HashType field.
  • ParentProcessGuid -- ProcessGuid of the process that spawned/created the main process (the child).
  • ParentProcessId -- Process ID of the process that spawned/created the main process (the child).
  • ParentImage -- File path of the process that spawned/created the main process.
  • ParentCommandLine -- Arguments that were passed to the executable associated with the parent process.

Sysmon offers an advantage over regular process auditing: it not only captures the same information as EventID 4688, it also pulls fields from the PE header, hashes the image so it can be correlated with IOC databases such as VirusTotal, and provides unique identifier fields that make events easier to query and correlate.
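As an added example (not part of the original page), the following Python parses a constructed Sysmon Event ID 1 record in the Windows event XML layout into the fields listed above, splits the Hashes value into per-algorithm entries for IOC lookups, drops records whose child/parent image pair sits in an assumed profiled baseline, and flags an image whose on-disk name differs from OriginalFileName. The sample record, its hashes and the BASELINE set are all placeholders assumed for the example.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon Event ID 1 record in the Windows event XML layout;
# the hashes and paths are placeholders, not values from a real host.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
<EventData>
<Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
<Data Name="OriginalFileName">Cmd.Exe</Data>
<Data Name="CommandLine">"C:\\Windows\\System32\\cmd.exe" /c whoami</Data>
<Data Name="Hashes">SHA256=0A1B2C3D,MD5=4E5F6A7B</Data>
<Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
</EventData>
</Event>"""

# Assumed baseline of (Image, ParentImage) pairs judged routine after profiling the environment.
BASELINE = {
    ("c:\\windows\\system32\\svchost.exe", "c:\\windows\\system32\\services.exe"),
}

def parse_event(xml_text):
    """Return the EventData fields of an Event ID 1 record as a dict, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1":
        return None
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}

def split_hashes(hashes):
    """Turn 'SHA256=...,MD5=...' into {'SHA256': ..., 'MD5': ...} for IOC lookups."""
    return dict(part.split("=", 1) for part in hashes.split(",") if "=" in part)

def is_baseline_noise(ev):
    """True when the child/parent image pair is in the profiled baseline."""
    return (ev["Image"].lower(), ev.get("ParentImage", "").lower()) in BASELINE

def image_renamed(ev):
    """True when the on-disk file name differs from the PE OriginalFileName."""
    original = ev.get("OriginalFileName", "")
    return bool(original) and ntpath.basename(ev["Image"]).lower() != original.lower()

def triage(xml_text):
    """Return (fields, hashes, renamed) for records worth keeping, else None."""
    ev = parse_event(xml_text)
    if ev is None or is_baseline_noise(ev):
        return None
    return ev, split_hashes(ev["Hashes"]), image_renamed(ev)
```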